Synopsys to Buy WhiteHat Security for $330M to Protect Apps
WhiteHat Security Excels at Defending Web Applications in Production Environments
Synopsys has agreed to purchase WhiteHat Security from NTT Security for $330 million to safeguard web applications in production environments in an automated, scalable fashion.
The Mountain View, California-based semiconductor and application security testing vendor says its proposed acquisition of San Jose, California-based WhiteHat will provide continuous security testing for hundreds or thousands of applications on live websites in a production-safe manner, according to Jason Schmitt, general manager of the Synopsys Software Integrity Group.
"WhiteHat Security is a pioneer at applying security testing as a service in a production-safe, continuous manner," Schmitt tells Information Security Media Group. "We didn't previously have the ability to do scaled-out, continuous testing of web applications in an automated way."
The $330 million transaction is expected to close in the fiscal quarter ending July 31 and be roughly neutral to Synopsys' non-GAAP earnings per share in the fiscal year ending Oct. 31. Synopsys' stock remains unchanged at $287.03 per share in after-hours trading Wednesday (see: Synopsys, Checkmarx Top Gartner MQ for App Security Testing).
Future of WhiteHat CEO Unclear
WhiteHat Security was founded in 2001, employs 320 people and was acquired by Tokyo-based NTT Security in March 2019 for a reported $315 million, according to LinkedIn and Momentum Cyber. The company was renamed NTT Application Security following the acquisition and has been led since April 2015 by former Hewlett-Packard Americas Networking top executive Craig Hinkley.
Schmitt declined to comment on how many WhiteHat employees will be joining Synopsys or on Hinkley's future with the company, citing the fact that the transaction hasn't yet closed.
"Because it's such a complementary fit to our customer base and the portfolio that we have, it brings immediate value to our customer base," Schmitt says. "We also see it bringing immediate value to the WhiteHat customers from the tools that we offer in static analysis and open source and some other areas. The ability to put together this portfolio that is highly complementary is a unique fit for us."
WhiteHat can both detect zero-day vulnerabilities at scale without interrupting live applications and continuously test applications in development or preproduction environments to see how they do against known exploits, Schmitt says. The company delivers its capabilities using a SaaS platform, which allows for quick onboarding and time to value across the entire software development life cycle, he says.
From Consulting to Automation
Synopsys was historically focused on securing applications during development and prior to shipment by finding code-level bugs early in the process and discovering open-source risks of all sorts, Schmitt says. Having security testing in production environments adds a new dimension to Synopsys' capabilities and expands the company's scope and operational view into live applications, according to Schmitt.
The company traditionally had to rely on consulting services to lock down production environments, but WhiteHat's automated platform makes it possible to protect more applications in a way that simply isn't possible when the testing requires lots of manual labor. Synopsys plans to preserve the offering that WhiteHat customers buy today and leverage the Code Dx platform to provide a unified view of risk.
Schmitt expects many WhiteHat customers will adopt Synopsys' Coverity static application security testing and Black Duck software composition analysis offerings so that they can source all of their application security products from a single vendor. WhiteHat customers will also benefit from Synopsys' global presence and investments in support, sales, customer success and service delivery, Schmitt says.
"They haven't had the scale and resources that we have," Schmitt says. "I think the potential is very high."
Synopsys and WhiteHat don't have much customer overlap since Synopsys has a high concentration of high-tech and automotive customers thanks to its heritage in embedded systems and chip design, he says. That's atypical for security firms in emerging areas, who typically focus more on serving industries with lots of early adopters, such as financial services, insurance and health care, according to Schmitt.
From a metrics standpoint, Schmitt says Synopsys is most focused on tracking revenue growth, employee retention and the satisfaction of both existing WhiteHat customers and net new customers. Synopsys is looking to get to and sustain 20% growth in its software integrity business over a multiyear period, according to Schmitt.
"The ultimate goal here is a unified view of software risk, and this is another step toward providing that," Schmitt says. "The mission clarity of that strategy is important to emphasize."